As various forms of distributed computing, such as cloud computing, have come to dominate the computing landscape, security has become a bottleneck issue that currently prevents the complete migration of capabilities and systems associated with sensitive data, such as financial data, to cloud-based infrastructures and/or other distributed computing models. This is because any vulnerability in any of the often numerous virtual assets provided and/or utilized in a cloud-based infrastructure, such as operating systems, virtual machines, virtual server instances, network connectivity, etc., represents a potential point of attack, and the compromise of a single virtual asset can expose the data and services that depend on it.
The types of vulnerabilities of concern vary widely from asset to asset, application to application, development platform to development platform, and deployment platform to deployment platform. For instance, as an illustrative example, a vulnerability can take the form of a software flaw, or of software built with, or running on, a version of a language runtime or library that is known to be vulnerable. As another example, a vulnerability can be a failure to comply with one or more security policies, such as a lack of mandated/proper authentication, an excessive level of access granted to a user or process, or other security measures that fall short of the security policies and/or parameters associated with the virtual asset, service, system, application, application development platform, and/or application deployment platform. Consequently, the number and variety of potential vulnerabilities can be overwhelming, and many currently available vulnerability management and verification approaches lack the ability to track and control these potentially numerous vulnerabilities in any reasonably comprehensive, or even consistent, manner.
As noted above, the situation is particularly problematic in cases where sensitive data, such as financial data, is being provided to, processed by, utilized by, and/or distributed by the various virtual assets, systems, services, and applications within the cloud. This is because exploitation of a vulnerability in a given virtual asset, system, service, or application can yield devastating results for the owners of that data, even if the breach is an isolated occurrence of limited duration. That is to say, with many types of data, developing or deploying a remedy for a vulnerability after that vulnerability has been exploited is no solution at all, because the data has already been disclosed or altered and irreparable damage may already have been done.
Consequently, the current approaches to asset management, which typically address vulnerabilities on an ad-hoc basis as they arise, or in a simplistic, uncoordinated, static, and largely manual manner, are no longer acceptable. Indeed, in order for applications and systems that process sensitive data to fully migrate to a cloud-based infrastructure, security issues and vulnerabilities must be addressed in a proactive, anticipatory, and comprehensive manner, in which the security posture of each virtual asset, and its resistance to known classes of attack, is verified well before any potential attack can occur, e.g., before the asset is deployed and published in a production environment.
However, this type of comprehensive approach, in which asset management is combined with verification of each asset against defined security management policies, is currently largely unavailable. In addition, in the few cases where such a comprehensive approach is attempted, the vulnerabilities are typically analyzed only after deployment of the virtual assets, and each virtual asset is then individually scanned and/or verified in the production environment, where a vulnerability is already exposed to attackers. Consequently, asset management and verification is currently prohibitively expensive and resource intensive, often requiring significant amounts of dedicated hardware, software, and human administrators, which are themselves still often utilized in an ad-hoc manner.
Despite the situation described above, asset management currently consists largely of the uncoordinated application of vulnerability analysis to individual virtual assets and/or verification of the compliance of individual virtual assets with security management policies. In addition, when a vulnerability or a lack of proper security is identified in an individual virtual asset, the remedy is typically applied to each virtual asset individually, even where the same flaw is present in many assets built from the same image or template.
As a result, the resources currently required to perform vulnerability analysis and verification, and to remedy the vulnerabilities found, are prohibitive, and the resulting level of data, system, service, and/or application security is still often unacceptable.
Furthermore, one major security issue in a cloud computing environment is that the vulnerabilities associated with applications, assets, and virtual assets are not always readily identifiable, known, or understood at the time the applications and assets are created and deployed, e.g., instantiated, in a given computing environment. Once the assets are deployed, accurately identifying potential security breaches, and responding to newly identified vulnerabilities through the "normal" communications channels associated with the assets, e.g., the network interfaces and management agents of the assets themselves, can be challenging, if not impossible.
In addition, in some cases a malicious entity is able to take control of an asset. In these cases, the malicious entity often takes over, or closes down, the normal communications channels associated with the asset, so that any monitoring or alerting that depends on those same channels is silenced along with them. Consequently, in some cases the malicious entity can mask the fact that it has taken control of the asset, and/or is left relatively free to manipulate the asset under its control and to access any data used by the asset, with little or no indication to, or immediate recourse for, the legitimate owner of the asset.
Given that virtual assets often process and control sensitive data, the situation described above represents a significant issue that must be resolved before highly sensitive data, such as financial data, can be safely processed in a cloud computing environment.
What is needed is a method and system for providing an efficient asset management and verification service that can self-monitor and self-alarm, or otherwise respond, to security vulnerabilities and breach events, including cases in which the normal communications channels of an asset are no longer trustworthy.